
NAC with CTA and VPN Concentrator, Does not detect CTA client

lkc
Level 1

Hi all,

I've been working hard to solve a problem with CTA client NAC posture validation across a VPN 3000 Concentrator.

I have a fully working setup with routers for phase 1 NAC. When I plug a PC into a switchport, everything with NAC works perfectly.

Then I tried doing the same on my VPN concentrator. But when I plug exactly the same PC into my public interface and start a VPN client, I am authenticated and get access. But the access is as a "Clientless" or non-responsive/unknown client! (Even the access lists for my clientless clients are downloaded and work.) So the connection to the ACS works.

But what is wrong, since the VPN concentrator apparently does not detect the CTA client?

I've tried changing the public filter and allowing all incoming UDP. But it still does not work.

Does anyone have any pointers on this subject?

Thanks in advance,

Lasse,

2 Replies

marcbutler
Level 1

Hi Lasse

Hope you are well. I am not sure how much help I can be on this (as I am having trouble getting the router to talk to the ACS), but I did find that whenever I tried to connect, the debugs on the router said CTA not detected. I am also running a Cisco VPN client. So I turned off the firewall and immediately, the router recognised that the Trust Agent was there. Could this be your problem?

Now, back to try and get my 2811 to talk to the ACS (very odd)!

cjdock123
Level 1

Hi Lasse,

Any luck resolving this? I have a similar problem with my VPN concentrator/ACS RADIUS set-up. PV tokens don't seem to be passed. Cisco says I'm missing a posturevalidation.dll from my ACS install directory. Does your set-up have this file?

Thanks,

Chuck